Twitter deleted data potentially crucial to Russia probes

Twitter has deleted tweets and other user data of potentially irreplaceable value to investigators probing Russia’s suspected manipulation of the social media platform during the 2016 election, according to current and former government cybersecurity officials.

Federal investigators now believe Twitter was one of Russia’s most potent weapons in its efforts to promote Donald Trump over Hillary Clinton, the officials say, speaking on the condition of anonymity.

Story Continued Below

By creating and deploying armies of automated bots, fake users, catchy hashtags and bogus ad campaigns, unidentified operatives launched recurring waves of pro-Trump and anti-Clinton story lines via Twitter that were either false or greatly exaggerated, the officials said. Many U.S. investigators believe that their best hope for identifying who was behind these operations, how they collaborated with each other and their suspected links to the Kremlin lies buried within the mountains of data accumulated in recent years by Twitter.

By analyzing Twitter data over time, investigators could establish what one U.S. government cybersecurity consultant described as “pattern of life behavior,” determining when Russian influence operations began, and how they “were trying to nudge the narrative in a certain direction.”

“So if you have access to all this, you can basically see when botnets appeared and disappeared, and how they shaped narrative around certain events,” said the analyst, who could not speak for attribution given company policy.

But a substantial amount of valuable information held by Twitter is lost for good, according to the cybersecurity analysts and other current and former U.S. officials.

One reason is Twitter’s aggressively pro-consumer privacy policies, which generally dictate that once any user revises or deletes their tweets, paid promotions or entire accounts, the company itself must do so as well. Twitter policy requires similar actions by private companies that pay for access to its real-time global data stream and repository of saved data for use in marketing and other commercial analysis.

The other reason is that Russian cyber tradecraft dictates that operatives immediately erase all of their digital breadcrumbs, according to former FBI Executive Assistant Director Robert Anderson and others familiar with Russian influence operations.

The most reliable politics newsletter.

Sign up for POLITICO Playbook and get the latest news, every morning — in your inbox.

By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time.

Thomas Rid, a Strategic Studies professor at Johns Hopkins University, blamed Twitter for making it easy for Russia and other bad actors to hijack its platform by failing to crack down on suspicious activity, and by then allowing them to cover their tracks simply by hitting the delete key.

“Should bot operators and people who spread hate and abuse have the right to remove content from the public domain? Twitter says yes, and I think it’s a scandal,” said Rid, an expert witness on Russian disinformation campaigns for the Senate intelligence committee’s Russia investigation. “It removes forensic evidence from the public domain, and makes the work of investigators more difficult and maybe impossible.”

“Were Twitter a contractor for the FSB,” the Russian intelligence agency involved in the 2016 campaign to meddle in the U.S. election, Rid said, “they could not have built a more effective disinformation platform.”

Twitter declined to comment on how much relevant data was deleted, whether any of it is potentially retrievable and other questions sent by POLITICO. Instead, spokespeople referred to the fine print of the company’s data retention and privacy policies, which say that, “Once an account has been deactivated, there is a very brief period in which we may be able to access account information, including Tweets.”

“Content deleted by account holders (e.g., Tweets) is generally not available,” the Twitter policy also says.

Several people familiar with Twitter’s ongoing review of Russian activity on its platform said its engineers are trying to ascertain what is available and what is recoverable, in part by trying to find ways of recreating some pockets of particular data that have been permanently deleted.

A daily briefing on politics and cybersecurity — weekday mornings, in your inbox.

By signing up you agree to receive email newsletters or alerts from POLITICO. You can unsubscribe at any time.

They also noted that the company has had to walk a tightrope in balancing the interests of privacy activists who are “very concerned about any suggestions that a tech company would hold their data for any period after its deleted,” and law enforcement agencies that want access to potential evidence of wrongdoing. As such, “it’s a little more complicated than giving an X is gone forever by Y date” answer, one Twitter official cautioned.

Cybersecurity analysts, however, said Twitter has aggressively enforced a “permanent deletion” policy across the board, including publicly shaming at least two companies not adhering to it via cease and desist orders.

As a result, “The limitations created by the hostile actors deleting their actions is potentially high impact” for those U.S. investigators on the various Russia investigations, according to a former senior Senate staff official familiar with how Twitter operates. “They may get lucky and Twitter may have some record of it, but in terms of their stated policy, if accounts or tweets were deleted, they’re gone.”

A second person familiar with Twitter policy agreed with that assessment.

Clint Watts, a former FBI agent who closely monitors Russian manipulation of social media, said Twitter was especially vulnerable because, “The truth is they don’t know who is on their platform, or how bad people are doing bad things.”

Compounding that, Watts said, “When the Russians hit on a big story or get a big falsehood going, they collapse their accounts. They are very good at plausible deniability and covering their tracks.”

Twitter has said it is taking a broad look at Russia’s suspected use of its platform, including how many people might have been affected by disinformation, and whether there are any potential connections between Russian accounts and the Trump campaign and the many high-profile “influencers” associated with it.

But company executives have been far less forthcoming than their counterparts at Facebook in disclosing details of what they have found in internal investigations into suspected Russian activity on their platforms.

Twitter’s briefing to the Senate intelligence committee Sept. 28 infuriated its ranking Democrat, Sen. Mark Warner, who said the company failed to grasp the seriousness of the congressional investigation. Warner also accused Twitter of providing “inadequate” details about what misinformation was spread on its platform by Russian sources during the election.

Warner said Twitter only did the bare minimum of investigation, searching its records for information about accounts with Russian ties that had already been disclosed by Facebook after its own probe.

Based on that information, Twitter said, it shut down 201 accounts associated with the Internet Research Agency, a Russia-linked “troll farm” in which multitudes of workers help spin false narratives for social media. It also said the Russian news site RT, which Twitter linked to the Kremlin, spent nearly $275,000 on its platform last year.

The Senate committee, one of at least three investigating Russian meddling and possible collusion by Trump associates, has summoned Twitter to appear at a Nov. 1 public hearing, along with Facebook and Google.

Former House intelligence committee staffer Mieke Eoyang said she was skeptical that Twitter can completely delete its data, and that at least some of it exists somewhere in the network while other pockets of it could be recoverable.

Recently, Google said it found evidence of Russian manipulation on its platforms by using data it downloaded from Twitter. It used that information to link Russian Twitter accounts to other accounts that used Google’s own services to buy ads, according to a Washington Post report. The Post said that activity occurred without the explicit cooperation of Twitter.

Twitter also would not answer questions about the reported Google findings, including whether they suggest some of the relevant Twitter data still exists, even if only recent information.

Anderson, who spent 15 years chasing and arresting Russian spies for the FBI, cautioned that if any Russian accounts exist because they were not deleted by the Russians themselves, it is likely because President Vladimir Putin, a former spymaster, left them on purpose to misdirect U.S. investigators.

“The KGB was by far one of the most ruthless counter-intelligence organizations the United States has encountered, and Putin was an officer in it for a long time,” Anderson said. “And now put him in charge of all of these high-speed intelligence, cyber capabilities and operations, as Russia’s President, and you have a very formidable adversary.”

Missing out on the latest scoops? Sign up for POLITICO Playbook and get the latest news, every morning — in your inbox.